{{$app := .AppName | kebabcase}} # Run Your DevSecOps Pipeline Usage ## Notes ### Simple security and compliance template and dashboard Security and compliance are critical aspects of product release. Organizations struggle to track application release status information and understand security & compliance risks across many different applications, teams, and environments. When risk assessment, security testing, and compliance checks aren’t built into the Continuous Integration/Continuous Delivery (CI/CD) pipeline, releases fail and cause delays, security vulnerabilities threaten production, and IT governance violations result in expensive fines. This blueprint provides a way to integrate tools like SonarQube, Fortify, Checkmarx, and Black Duck into release pipeline. {{- if .ConfigureSonar}} #### SonarQube SonarQube is an open source platform for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities in application source code. {{- end}} {{- if .ConfigureFortify}} #### Fortify SSC Fortify Software Security Center (SSC) provides centralized management of their application security testing. Security teams use SSC to review and manage security testing activities, prioritize remediation efforts based on risk potential, measure improvements and generate cross portfolio management reports. #### Fortify on Demand Fortify on Demand provides software security analysis as a service. It can evaluate application code against selected security metrics. {{- end}} {{- if .ConfigureCheckmarx}} #### Checkmarx Checkmarx provides Checkmarx Static Application Security Testing (CxSAST) and Checkmarx Open Source Analysis (CxOSA). CxSAST automatically scan uncompiled code and identify security vulnerabilities. CxOSA provides a way to control and manage open source components and mitigate potential risks to the application, organizations and its users. {{- end}} {{- if .ConfigureBlackduck}} ### Black Duck Black Duck provides a complete open source management solution. It can identify potential security risks, license risks and operational risks for open source components. {{- end}} ## Start the XL Platform {{if eq .GenerateDockerComposeSetup true}} Follow the instructions in `xebialabs/USAGE-docker-compose.md`. {{else}} Make sure your existing XL Platform is up and running and accessible. {{end}} ## Deploy the blueprint to the XL Platform To deploy this blueprint to the XebiaLabs DevOps Platform, open up a terminal in the folder where you generated the configuration. Then run: ```plain xl apply -f xebialabs.yaml ``` ## Deploy the template Go to XL Release and click on `{{$app}}` under the 'Design' tab. ### Provision the template 1. Click 'New Release' under `{{$app}} security & compliance`. 1. Give the Release a name. 2. Click 'Create'. 3. Click 'Start Release'. ## Extras * Check the latest status using 'Design' > `{{$app}}` > 'Dashboards' tab > 'Security and Compliance'.